Is it secure to set the visibility of a button Gone?

Time: 09-05

I am developing an app which has different user types (User and Admin) and privileges based on their custom claims in Firebase Realtime DB.

I want a button to be visible only if the user is admin.

// Read the custom claims from the signed-in user's ID token (cached copy, no forced refresh).
firebaseUser?.getIdToken(false)?.addOnSuccessListener { result ->
    // Custom claims are exposed as a Map<String, Any>; "admin" is the claim set on the server.
    val isAdmin = result.claims["admin"]
    if (isAdmin == true) {
        binding.btnOnlyAdminActivity.setOnClickListener {
            val intent = Intent(context, OnlyAdminActivity::class.java)
            startActivity(intent)
        }
    } else {
        // Non-admins never see the button.
        binding.btnOnlyAdminActivity.visibility = View.GONE
    }
}

The code above works fine, but I wonder if this approach could raise a security problem, such as a regular user detecting that there is a hidden button and clicking it somehow.

CodePudding user response:

Client-side validation of roles (custom claims) is used mostly for conditionally rendering the UI only. Firebase also has a REST API that can be used to access your Firebase project, so the app-side check is irrelevant.

The databases/storage should be protected with Security Rules that can be modified only by your Firebase project members. You should validate the custom claims in the rules (or your backend servers if any). So even if anyone tried to access database/storage directly, the requests will be rejected if they are unauthorised.

You can additionally set up Firebase App Check, which ensures the requests are coming from your own application only. That should reduce direct usage of the REST API.

To learn more about Firebase security rules, check out:
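The server-side check the answer describes, as an added example that is not part of the original post: a Realtime Database ruleset in which the `adminOnly` path (a hypothetical path name chosen for this example) can be read or written only when the caller's ID token carries the `admin` custom claim, while the `public` path (also hypothetical) is readable by any signed-in user and writable by no client. Custom claims set through the Admin SDK are exposed to rules as `auth.token.<claim>`.

```json
{
  "rules": {
    "public": {
      ".read": "auth != null",
      ".write": false
    },
    "adminOnly": {
      ".read": "auth != null && auth.token.admin === true",
      ".write": "auth != null && auth.token.admin === true"
    }
  }
}
```

With this ruleset in place, hiding the button is purely cosmetic: a regular user who un-hides it, or who calls the REST API directly with their own ID token, still gets a permission-denied response for `adminOnly`, because the rule is evaluated against the token the server verified, not against anything the client chose to render. The weak setting to avoid is writing `"auth != null"` on the admin path, which only checks that someone is signed in and would let every regular user through. Cloud Firestore and Cloud Storage rules express the same condition as `request.auth.token.admin == true`.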
